Gnocchi: many chart fixes

This PS fixes ceph pool creation and secret management, RBAC and
Image naming conventions for the Gnocchi chart.

Change-Id: I8ad569f9420e3575d6c26c5933f23048096161f5
portdirect 2017-12-28 20:35:24 -05:00
parent 5178f3d926
commit e75f443f05
13 changed files with 173 additions and 61 deletions


@ -4,3 +4,4 @@
caps mds = "allow"
caps mon = "allow *"
caps osd = "allow *"
caps mgr = "allow *"


@ -0,0 +1,24 @@
#!/bin/bash
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
set -ex
exec kubectl delete secret \
--namespace ${NAMESPACE} \
--ignore-not-found=true \
${RBD_POOL_SECRET}
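Review bot: Both expansions in the `kubectl delete secret` command are unquoted and unchecked, so an empty or whitespace-containing `RBD_POOL_SECRET` changes the argument list kubectl receives instead of failing clearly. Quoting them and making them mandatory keeps the delete scoped to exactly one named secret: `--namespace "${NAMESPACE:?}" \` and `"${RBD_POOL_SECRET:?}"`. Because `set -ex` is active, a failed `:?` expansion stops the script before kubectl runs. A short comment above `exec` stating that this script is the pre-delete hook's entry point and removes only the RBD pool secret would also help readers of the template.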


@ -28,8 +28,9 @@ set -ex
ceph -s
function ensure_pool () {
ceph osd pool stats $1 || ceph osd pool create $1 $2
ceph osd pool application enable $1 $3
}
ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE}
ensure_pool ${RBD_POOL_NAME} ${RBD_POOL_CHUNK_SIZE} "gnocchi-metrics"
if USERINFO=$(ceph auth get client.${RBD_POOL_USER}); then
KEYSTR=$(echo $USERINFO | sed 's/.*\( key = .*\) caps mon.*/\1/')
@ -39,6 +40,7 @@ else
ceph auth get-or-create client.${RBD_POOL_USER} \
mon "allow *" \
osd "allow *" \
mgr "allow *" \
-o ${KEYRING}
fi
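Review bot: The added `mgr "allow *"` line widens a client key that already carries `mon "allow *"` and `osd "allow *"`, so any pod that mounts the resulting keyring holds cluster-wide Ceph capabilities rather than access to its one pool. The pool name is already available in the script, so the caps could be scoped, for example `mon "allow r"` and `osd "allow rwx pool=${RBD_POOL_NAME}"`, with the mgr cap reduced or dropped if Gnocchi's storage driver does not need it (to be confirmed against the driver). The keyring template hunk that adds `caps mgr = "allow *"` uses the same wildcard set, which may be intended if that template is the admin keyring. Separately, the hunk header shows `set -ex` is in effect, so the `echo $USERINFO` context line traces the key into the job log; bracketing the key handling with `set +x` and `set -x` would avoid that. Both hunks show only part of the script.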


@ -24,6 +24,8 @@ metadata:
data:
storage-init.sh: |+
{{ tuple "bin/_storage-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
clean-secrets.sh: |+
{{ tuple "bin/_clean-secrets.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
db-init.sh: |+
{{ tuple "bin/_db-init.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
db-init.py: |+


@ -44,7 +44,7 @@ spec:
initContainers:
{{ tuple $envAll $dependencies $mounts_gnocchi_metricd_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: ceph-keyring-placement
image: {{ .Values.images.tags.api }}
image: {{ .Values.images.tags.gnocchi_api }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- /tmp/ceph-keyring.sh
@ -61,7 +61,7 @@ spec:
readOnly: true
containers:
- name: gnocchi-metricd
image: {{ .Values.images.tags.metricd }}
image: {{ .Values.images.tags.gnocchi_metricd }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.metricd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:


@ -43,7 +43,7 @@ spec:
initContainers:
{{ tuple $envAll $dependencies $mounts_gnocchi_statsd_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: ceph-keyring-placement
image: {{ .Values.images.tags.api }}
image: {{ .Values.images.tags.gnocchi_api }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- /tmp/ceph-keyring.sh
@ -60,7 +60,7 @@ spec:
readOnly: true
containers:
- name: gnocchi-statsd
image: {{ .Values.images.tags.statsd }}
image: {{ .Values.images.tags.gnocchi_statsd }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.statsd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:


@ -48,7 +48,7 @@ spec:
initContainers:
{{ tuple $envAll $dependencies $mounts_gnocchi_api_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: ceph-keyring-placement
image: {{ .Values.images.tags.api }}
image: {{ .Values.images.tags.gnocchi_api }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- /tmp/ceph-keyring.sh
@ -65,7 +65,7 @@ spec:
readOnly: true
containers:
- name: gnocchi-api
image: {{ .Values.images.tags.api }}
image: {{ .Values.images.tags.gnocchi_api }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.api | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
command:


@ -0,0 +1,99 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.job_clean }}
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.clean }}
{{- $randStringSuffix := randAlphaNum 5 | lower }}
{{- $serviceAccountName := print "gnocchi-clean-" $randStringSuffix }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: {{ $serviceAccountName }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- delete
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ $serviceAccountName }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $serviceAccountName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ print "gnocchi-clean-" $randStringSuffix }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
labels:
{{ tuple $envAll "gnocchi" "clean" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
initContainers:
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: gnocchi-rbd-secret-clean
image: {{ .Values.images.tags.gnocchi_storage_init }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.clean | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: RBD_POOL_SECRET
value: {{ .Values.secrets.rbd | quote }}
command:
- /tmp/clean-secrets.sh
volumeMounts:
- name: gnocchi-bin
mountPath: /tmp/clean-secrets.sh
subPath: clean-secrets.sh
readOnly: true
volumes:
- name: gnocchi-bin
configMap:
name: gnocchi-bin
defaultMode: 0555
{{- end }}
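Review bot: The Role grants `get` and `delete` on every secret in the release namespace, while the job's script only deletes the single secret named by `.Values.secrets.rbd`. Adding `resourceNames:` with the entry `- {{ .Values.secrets.rbd | quote }}` to the rule would limit the hook's service account to that one secret. The Job's `image:` and `imagePullPolicy:` values are rendered unquoted, unlike the `| quote` used for `RBD_POOL_SECRET`; quoting them guards against an empty value rendering as null.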


@ -14,22 +14,22 @@ See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.job_db_init_keystone }}
{{- if .Values.manifests.job_db_init }}
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.db_init_keystone }}
{{- $dependencies := .Values.dependencies.db_init }}
{{- $serviceAccountName := "gnocchi-db-init-keystone" }}
{{- $serviceAccountName := "gnocchi-db-init" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: gnocchi-db-init-keystone
name: gnocchi-db-init
spec:
template:
metadata:
labels:
{{ tuple $envAll "gnocchi" "db-init-keystone" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
{{ tuple $envAll "gnocchi" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
@ -39,7 +39,7 @@ spec:
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
containers:
- name: keystone-db-init
image: {{ .Values.images.tags.db_init_keystone | quote }}
image: {{ .Values.images.tags.db_init | quote }}
imagePullPolicy: {{ .Values.images.pull_policy | quote }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.db_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:


@ -38,7 +38,7 @@ spec:
initContainers:
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: ceph-keyring-placement
image: {{ .Values.images.tags.api }}
image: {{ .Values.images.tags.gnocchi_api }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- /tmp/ceph-keyring.sh
@ -93,5 +93,5 @@ spec:
name: ceph-etc
- name: ceph-keyring
secret:
secretName: pvc-ceph-client-key
secretName: {{ .Values.secrets.rbd | quote }}
{{- end }}


@ -25,8 +25,6 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: {{ $serviceAccountName }}
annotations:
"helm.sh/hook": pre-delete
rules:
- apiGroups:
- ""
@ -41,8 +39,6 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ $serviceAccountName }}
annotations:
"helm.sh/hook": pre-delete
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
@ -69,7 +65,7 @@ spec:
initContainers:
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
- name: ceph-keyring-placement
image: {{ .Values.images.tags.api }}
image: {{ .Values.images.tags.gnocchi_api }}
imagePullPolicy: {{ .Values.images.pull_policy }}
securityContext:
runAsUser: {{ .Values.pod.user.gnocchi.uid }}
@ -88,7 +84,7 @@ spec:
readOnly: true
containers:
- name: gnocchi-storage-init
image: {{ .Values.images.tags.storage_init }}
image: {{ .Values.images.tags.gnocchi_storage_init }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.storage_init | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
env:


@ -17,8 +17,12 @@ limitations under the License.
{{- if .Values.manifests.pod_gnocchi_test }}
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.tests }}
{{- $mounts_gnocchi_tests := .Values.pod.mounts.gnocchi_tests.gnocchi_tests }}
{{- $mounts_gnocchi_tests_init := .Values.pod.mounts.gnocchi_tests.init_container }}
{{- $serviceAccountName := print .Release.Name "-test" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: v1
kind: Pod
@ -27,28 +31,13 @@ metadata:
annotations:
"helm.sh/hook": test-success
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: Never
initContainers:
{{ tuple $envAll $dependencies list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 4 }}
- name: ceph-keyring-placement
image: {{ .Values.images.tags.api }}
imagePullPolicy: {{ .Values.images.pull_policy }}
command:
- /tmp/ceph-keyring.sh
volumeMounts:
- name: etcceph
mountPath: /etc/ceph
- name: gnocchi-bin
mountPath: /tmp/ceph-keyring.sh
subPath: ceph-keyring.sh
readOnly: true
- name: ceph-keyring
mountPath: /tmp/client-keyring
subPath: key
readOnly: true
containers:
- name: {{.Release.Name}}-helm-tests
image: {{ .Values.images.tags.api }}
image: {{ .Values.images.tags.gnocchi_api }}
imagePullPolicy: {{ .Values.images.pull_policy }}
{{ tuple $envAll $envAll.Values.pod.resources.jobs.tests | include "helm-toolkit.snippets.kubernetes_resources" | indent 6 }}
env:
@ -72,10 +61,6 @@ spec:
mountPath: /etc/gnocchi/gnocchi.conf
subPath: gnocchi.conf
readOnly: true
- name: ceph-etc
mountPath: /etc/ceph/ceph.conf
subPath: ceph.conf
readOnly: true
- name: gnocchi-bin
mountPath: /tmp/gnocchi-test.sh
subPath: gnocchi-test.sh
@ -90,13 +75,5 @@ spec:
configMap:
name: gnocchi-bin
defaultMode: 0555
- name: ceph-etc
configMap:
name: ceph-etc
- name: ceph-keyring
secret:
secretName: pvc-ceph-client-key
- name: etcceph
emptyDir: {}
{{ if $mounts_gnocchi_tests.volumes }}{{ toYaml $mounts_gnocchi_tests.volumes | indent 4 }}{{ end }}
{{- end }}


@ -9,18 +9,18 @@ labels:
images:
tags:
dep_check: quay.io/stackanetes/kubernetes-entrypoint:v0.2.1
storage_init: docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04
gnocchi_storage_init: docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04
db_init_indexer: docker.io/postgres:9.5
# using non-kolla images until kolla supports postgres as
# an indexer
db_init_keystone: quay.io/attcomdev/ubuntu-source-gnocchi-api:3.0.3
db_init: quay.io/attcomdev/ubuntu-source-gnocchi-api:3.0.3
db_sync: quay.io/attcomdev/ubuntu-source-gnocchi-api:3.0.3
ks_user: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
ks_service: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
ks_endpoints: docker.io/kolla/ubuntu-source-heat-engine:3.0.3
api: quay.io/attcomdev/ubuntu-source-gnocchi-api:3.0.3
statsd: quay.io/attcomdev/ubuntu-source-gnocchi-statsd:3.0.3
metricd: quay.io/attcomdev/ubuntu-source-gnocchi-metricd:3.0.3
gnocchi_api: quay.io/attcomdev/ubuntu-source-gnocchi-api:3.0.3
gnocchi_statsd: quay.io/attcomdev/ubuntu-source-gnocchi-statsd:3.0.3
gnocchi_metricd: quay.io/attcomdev/ubuntu-source-gnocchi-metricd:3.0.3
pull_policy: "IfNotPresent"
network:
@ -37,9 +37,11 @@ network:
port: 8125
dependencies:
clean:
services:
storage_init:
services:
db_init_keystone:
db_init:
services:
- service: oslo_db
endpoint: internal
@ -50,7 +52,8 @@ dependencies:
endpoint: internal
db_sync:
jobs:
- gnocchi-db-init-keystone
- gnocchi-storage-init
- gnocchi-db-init
- gnocchi-db-init-indexer
services:
- service: oslo_db_postgresql
@ -190,6 +193,13 @@ pod:
memory: "1024Mi"
cpu: "2000m"
jobs:
clean:
requests:
memory: "124Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "124Mi"
@ -313,9 +323,9 @@ conf:
max_retries: -1
storage:
driver: ceph
ceph_pool: metrics
ceph_username: admin
ceph_keyring: /etc/ceph/ceph.client.admin.keyring
ceph_pool: gnocchi.metrics
ceph_username: gnocchi
ceph_keyring: /etc/ceph/ceph.client.gnocchi.keyring
ceph_conffile: /etc/ceph/ceph.conf
file_basepath: /var/lib/gnocchi
provided_keyring: null
@ -441,8 +451,9 @@ manifests:
daemonset_statsd: true
deployment_api: true
ingress_api: true
job_clean: true
job_db_init_indexer: true
job_db_init_keystone: true
job_db_init: true
job_db_sync: true
job_ks_endpoints: true
job_ks_service: true
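Review bot: `gnocchi_storage_init` in the first hunk points at `docker.io/ceph/daemon:tag-build-master-luminous-ubuntu-16.04`, whose name suggests a rolling build tag, and this commit reuses that image for the new pre-delete job whose service account can delete secrets. Pinning it by digest (`docker.io/ceph/daemon@sha256:<digest>`, placeholder) or to a fixed release tag would make the code running under that service account reproducible. A comment above the tag recording why this image was chosen for both jobs would help whoever updates it later.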